Drone fleet keylogger infection: How did it happen?

As you've probably heard by now, a rather tenacious keylogger has reportedly infected an Air Force unmanned aerial vehicle command center at the Creech Air Force Base in Nevada.


As you've probably heard by now, a rather tenacious keylogger has reportedly infected an Air Force unmanned aerial vehicle command centre at the Creech Air Force Base in Nevada.

These unmanned drones have become increasingly important to US military efforts, used to both gather intelligence and to launch attacks, such as the controversial killing of US-born militant cleric Anwar al-Awlaki last month. One New York Times report states that the Pentagon has roughly 7,000 aerial drones currently, up from less than 50 a decade ago, and that Congress seeks nearly $5 billion (£3.17 million) for drones in next year's budget.

According to reports, the keylogger was detected about two weeks ago by the military's own intrusion prevention systems and host-based firewall. While the military has tried to remove the suspected malware, it keeps returning.

"The first thing I thought when I saw this was that it was a keylogger on a ground-based system, not on the drones itself, which is a much less scarier scenario than having a drone system, which could be theoretically disconnected from control at any time, infected with code," says Chris Wysopal, computer security expert and CTO of application security firm Veracode.

With no clear answers yet as to how the keylogger managed to finagle its way on to sensitive and classified systems, questions remain about the code's genesis and intent.

Dave Lewis, security researcher and contributing analyst at the security research firm Securosis, says he "has his money on a contractor" as the culprit. Lewis said that the challenge there is that contractors are trusted advisors, often with minimal background checks, who are more apt to break policy and use systems not managed directly by the government. "They have the means and the opportunity," says Lewis.

Others, such as Gartner security and compliance research director Ian Glazer, wonder if the keylogger could be the military's own software, placed on the systems as someone's idea of how to conduct "oversight" on the systems.

Computing expert Miles Fidelman posted his thoughts along similar lines on a popular security mailing list: "After seeing this, from a few sources, I'm reminded that there are a couple of vendors who've been selling the Defense Department security monitoring packages that are essentially rootkits that do, among other things, key logging," he wrote. "I kind of wonder if the virus that folks are fighting is something that some other part of DoD deployed intentionally."

Others speculate that the infection vector most likely came in through the mistakes traditional users may make, such as plugging in an infected removable drive, or surfing to the wrong website.

"Just because classified systems are air-gapped doesn't mean that people aren't making the mistake of plugging in USB drives and doing other things they shouldn't," says Wysopal. Also, it's possible for these types of systems to become infected during upgrades and system updates. "If it's custom code, traditional scanning of storage media may not detect it. Essentially there are many ways for this type of thing to happen, despite the systems being on relatively controlled networks," he says.

"Recommended For You"

Stuxnet threatens 'well secured systems' Conficker worm torpedoes French navy